Technology editor

About 254,000 Australians were exposed in the hacking of an online dating company's web servers.

Australian online dating company Cupid Media breached the Privacy Act by failing to take reasonable steps to secure the personal information of 254,000 Australians held on its dating websites, the privacy commissioner has found.

Cupid, run out of Southport on the Gold Coast, operates more than 35 niche dating websites based on users' personal profiles, including ethnicity, religion and location. In January last year, hackers gained unauthorised access to Cupid web servers and stole the personal information of what was reported to be 42 million users across the globe.

The 42 million figure was, however, disputed by Cupid managing director Andrew Bolton. When the breach was made public in November, he said the number of ''active members'' affected was ''considerably less than 42 million''. How many non-active members' details were breached was never disclosed.

The number of Australians exposed was also unknown until the Privacy Commissioner revealed it on Wednesday. The personal information included full names, dates of birth, email addresses and passwords.

''This case highlights the importance of organisations conducting ongoing testing and maintenance of security systems to minimise the risk of a hack succeeding, and to ensure they are able to respond quickly if one occurs,'' Mr Pilgrim said.

''Cupid's vulnerability testing processes did allow it to identify the hack and respond quickly. Hacks are a continuing threat these days, and businesses need to account for that threat when considering their obligation to keep personal information secure.''

The investigation found that at the time of the incident, Cupid did not have password encryption processes in place.

''Password encryption is a basic security strategy that may prevent unauthorised access to user accounts,'' Mr Pilgrim said. ''Cupid insecurely stored passwords in plain text, and I found that to be a failure to take reasonable security steps as required under the Privacy Act.''

Mr Pilgrim said the incident also demonstrated the importance of securely destroying or permanently de-identifying personal information that is no longer required. He found that Cupid had not done this.

''Holding onto old personal information that is no longer needed does not comply with the Privacy Act and needlessly places individuals at risk,'' he said.

''Organisations must identify out of date or unrequired personal information and have a system in place for securely disposing of it.''

The commissioner said Cupid worked collaboratively and co-operatively with his office during the investigation.

Correction: The headline and article initially stated 245,000 Australians were exposed. This was incorrect and has been fixed. The error came about due to an error by the privacy commissioner's media office.

1 comment so far

Not one of those hackers has had the courtesy to get in touch with me. And that's why I hate dating sites.
